Add an overlay to the oauth2-proxy application that adds your subdomain. This configures OAuth for the subdomain.

```yaml
resources:
- ../../oauth2-proxy
patches:
# The target name is a regex: the patch is applied to both AuthorizationPolicies
- target:
    name: istio-ingressgateway-oauth2-proxy|istio-ingressgateway-require-jwt
    kind: AuthorizationPolicy
    group: security.istio.io
  patch: |
    - op: add
      path: /spec/rules/0/to/0/operation/hosts/-
      value: <subdomain>.<domain>
```
Add a Gateway to configure the TLS certificate for your subdomain. This configures TLS (SSL).

```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # Name of the Secret that holds the certificate and key
      credentialName: istio-gateway-certificate-tls
    hosts:
    - <subdomain>.<domain>
```
Add a VirtualService to route traffic for the subdomain to your workloads.

```yaml
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: virtual-service
spec:
  gateways:
  - gateway
  hosts:
  - <subdomain>.<domain>
  http:
  - route:
    - destination:
        host: <service-name>.<namespace>.svc.cluster.local
        port:
          number: <service-port>
```
Add an AuthorizationPolicy to allow the Istio ingress gateway proxy to forward requests to your workload.

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: auth-policy
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        # Only the ingress gateway's service account is allowed as the caller
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
    to:
    - operation:
        hosts:
        - <subdomain>.<domain>
```
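A consistency check for the four steps above, as an added example that is not part of the original page: it takes the rendered objects as dicts (as parsed from `kubectl get -o json`) and reports every place where the host is missing, including an OAuth policy the overlay patch did not reach. The function names, `app.example.com`, `base.example.com` and the sample objects are constructed for illustration, and hosts are compared as exact strings.

```python
# Added example. Objects are dicts as parsed from `kubectl get -o json`.
OAUTH_POLICIES = ("istio-ingressgateway-oauth2-proxy",
                  "istio-ingressgateway-require-jwt")

def policy_hosts(policy):
    """All spec.rules[].to[].operation.hosts entries of an AuthorizationPolicy."""
    return {h for rule in policy["spec"].get("rules", [])
            for to in rule.get("to", [])
            for h in to.get("operation", {}).get("hosts", [])}

def check_host(host, objects):
    """Return the wiring problems for `host`; an empty list means consistent."""
    kinds = {}
    for obj in objects:
        kinds.setdefault(obj["kind"], {})[obj["metadata"]["name"]] = obj
    policies = kinds.get("AuthorizationPolicy", {})
    problems = []
    for name in OAUTH_POLICIES:
        if name not in policies:
            problems.append(f"{name}: not found")
        elif host not in policy_hosts(policies[name]):
            problems.append(f"{name}: host missing, overlay patch not applied")
    if not any(srv.get("tls", {}).get("credentialName") and host in srv.get("hosts", [])
               for gw in kinds.get("Gateway", {}).values()
               for srv in gw["spec"].get("servers", [])):
        problems.append("Gateway: no TLS server for host")
    if not any(host in vs["spec"].get("hosts", [])
               for vs in kinds.get("VirtualService", {}).values()):
        problems.append("VirtualService: host not routed")
    if not any(p["spec"].get("action") == "ALLOW" and host in policy_hosts(p)
               for n, p in policies.items() if n not in OAUTH_POLICIES):
        problems.append("workload AuthorizationPolicy: host not allowed")
    return problems

def sample_policy(name, hosts, action=None):
    """Constructed sample object, reduced to the fields the check reads."""
    return {"kind": "AuthorizationPolicy", "metadata": {"name": name},
            "spec": {"action": action, "rules": [{"to": [{"operation": {"hosts": hosts}}]}]}}

HOST = "app.example.com"  # placeholder for <subdomain>.<domain>
SAMPLE = [  # constructed: the require-jwt policy did not receive the patch
    sample_policy(OAUTH_POLICIES[0], ["base.example.com", HOST]),
    sample_policy(OAUTH_POLICIES[1], ["base.example.com"]),
    sample_policy("auth-policy", [HOST], action="ALLOW"),
    {"kind": "Gateway", "metadata": {"name": "gateway"}, "spec": {"servers": [
        {"tls": {"credentialName": "istio-gateway-certificate-tls"}, "hosts": [HOST]}]}},
    {"kind": "VirtualService", "metadata": {"name": "virtual-service"}, "spec": {"hosts": [HOST]}},
]
print(check_host(HOST, SAMPLE))
```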